UserLock Single Sign-On (SSO) provides federated authentication to cloud applications using on-premises Active Directory (AD) identities. With one set of AD credentials for all resources, it puts the organization firmly back in control of user access.
Extending Active Directory SSO
Adopting an SSO solution should be a key initiative for any company, regardless of size. It allows end users to authenticate once and get access to all corporate resources. Active Directory (AD) is, of course, a fine example of an SSO solution: once a user has logged on to a domain-joined machine, Kerberos or NTLM lets them reach every domain resource without a further authentication prompt.
With UserLock SSO, organizations can extend this AD single sign-on to Microsoft 365 and other cloud applications that sit beyond the boundaries of the company's domain. Combined with granular multi-factor authentication, it lets employees keep using their existing on-premises AD credentials to access multiple cloud applications. No separate, external or centralized identity provider needs to be created and managed, and nothing changes in how access is secured for resources and applications running within the company network.
Here we look at four key advantages for organizations that provide SSO using Windows AD accounts:
- It ensures all users have a single set of login credentials
- It makes SSO easy by retaining Active Directory as your Identity Provider
- It combines with granular MFA to ensure secure SSO access
- It improves employee productivity when working both on site and remotely
1. Ensures all users have a single set of login credentials
Cloud applications support federated authentication: rather than verifying a password themselves, they hand the authentication step to a separate, trusted system (the Identity Provider) and accept its statement of who the user is.
UserLock SSO has been developed to be that trusted system. It lets organizations use their existing corporate identity repository, their on-premises Active Directory, for the federated authentication of multiple cloud applications.
SAML (Security Assertion Markup Language) is the open standard that carries these authentication and authorization statements from the Identity Provider (here UserLock SSO, backed by Active Directory) to the Service Providers (the cloud applications). SAML has been widely adopted for three reasons: it is standardized; its assertions are digitally signed by the Identity Provider, so a Service Provider can verify them without ever handling the user's password; and it gives users a smooth login experience.
UserLock supports the SAML 2.0 protocol to provide this federated authentication of cloud applications. The Service Provider-initiated flow is:
- The user goes to a cloud application they would like to log in to.
- The cloud application (SAML Service Provider) redirects the user to UserLock SSO with a SAML authentication request.
- The user is authenticated on premises with their existing Active Directory credentials.
- If enabled, the user is prompted by UserLock for a second authentication factor.
- If both succeed, UserLock SSO returns a signed SAML assertion to the cloud application, which then grants access.
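The exchange above, worked through end to end as an added example (this is not UserLock code; the entity IDs, URLs and the in-memory FAKE_AD stand-in for the Active Directory logon are all hypothetical). It builds the Service Provider's AuthnRequest, carries it over the HTTP-Redirect binding, has the Identity Provider issue a bearer assertion, and then runs the checks a Service Provider must perform before trusting it: status, destination, InResponseTo against its own outstanding requests, issuer, validity window, audience and subject confirmation. XML signature verification, which a real Service Provider performs before any of these checks, is deliberately left out to keep the example to the standard library.

```python
import base64
import datetime as dt
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://crm.example.com/saml/metadata"   # hypothetical service provider
SP_ACS_URL = "https://crm.example.com/saml/acs"
IDP_ENTITY_ID = "https://sso.corp.example/saml/idp"      # hypothetical identity provider
IDP_SSO_URL = "https://sso.corp.example/saml/sso"
FAKE_AD = {"alice@corp.example": "correct horse battery staple"}  # constructed stand-in for AD

def now():
    return dt.datetime.now(dt.timezone.utc).replace(microsecond=0)

def fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def build_authn_request(issuer=SP_ENTITY_ID, acs=SP_ACS_URL):
    """Steps 1-2, SP side: the AuthnRequest the user is redirected to the IdP with."""
    req_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": fmt(now()),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": acs})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return req_id, ET.tostring(root)

def redirect_url(request_xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = z.compress(request_xml) + z.flush()
    q = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode()})
    return f"{IDP_SSO_URL}?{q}"

def idp_handle(url, username, password, when=None, lifetime=300):
    """Steps 3-5, IdP side: decode, authenticate, issue a bearer assertion (base64 SAMLResponse)."""
    query = urllib.parse.urlsplit(url).query
    raw = base64.b64decode(urllib.parse.parse_qs(query)["SAMLRequest"][0])
    req = ET.fromstring(zlib.decompress(raw, -15))
    if FAKE_AD.get(username) != password:     # stand-in for the on-premises AD logon (and MFA)
        raise PermissionError("authentication failed")
    when = when or now()
    expiry = fmt(when + dt.timedelta(seconds=lifetime))
    acs = req.get("AssertionConsumerServiceURL")  # a real IdP matches this against the SP's registered ACS
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": fmt(when),
        "Destination": acs, "InResponseTo": req.get("ID")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": fmt(when)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = username
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData",
                  {"InResponseTo": req.get("ID"), "Recipient": acs, "NotOnOrAfter": expiry})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": fmt(when), "NotOnOrAfter": expiry})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = req.findtext("saml:Issuer", namespaces=NS)
    # A real IdP signs the Response and/or Assertion here (XML-DSig); omitted in this example.
    return base64.b64encode(ET.tostring(resp)).decode()

def sp_consume(saml_response_b64, outstanding, when=None):
    """Step 5, SP side: checks before trusting the assertion; `outstanding` = unanswered request IDs."""
    when = when or now()
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    # A real SP verifies the XML-DSig against the IdP's certificate before anything else.
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    a = resp.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    checks = [
        (resp.get("Destination") == SP_ACS_URL, "destination"),
        (resp.get("InResponseTo") in outstanding, "unsolicited or replayed response"),
        (a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "issuer"),
        (parse(cond.get("NotBefore")) <= when < parse(cond.get("NotOnOrAfter")), "validity window"),
        (cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID, "audience"),
        (scd.get("Recipient") == SP_ACS_URL, "recipient"),
        (scd.get("InResponseTo") == resp.get("InResponseTo"), "subject confirmation"),
    ]
    for ok, what in checks:
        if not ok:
            raise ValueError(f"assertion rejected: {what}")
    outstanding.discard(resp.get("InResponseTo"))  # one-time use: a replayed response fails next time
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

Each rejection in sp_consume corresponds to a real attack class: a response that answers no request the SP issued is unsolicited or replayed, a stale response fails the validity window, and an assertion the IdP issued for a different service provider is refused by the audience check even though it is otherwise genuine. The on-premises credential never leaves the IdP side; the SP only ever sees the assertion.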
Now, rather than having separate logins for Active Directory, Microsoft Office 365, CRM software and so on, UserLock SSO ensures all users have one single set of credentials to access everything.
- One set of login credentials stops the sprawl of usernames and passwords that came with the rise of SaaS applications. That means less password reuse across services and only one legitimate login page for users to recognize, which narrows the opening for phishing.
- A single, centralized identity makes accurate entitlement possible: access is granted only to the resources users need for their job, and it can be reviewed and revoked in one place.
2. Retains Active Directory as the Identity Provider
If an organization wants to adopt Office 365, Box and Slack, it may be put off by three separate sets of logins and passwords for these services. In this situation UserLock SSO becomes a prerequisite for organizations looking to adopt cloud solutions. It makes SSO easier by retaining Active Directory as the authoritative identity provider while extending it to work with the cloud.
In addition, SSO needs to connect to more than just web applications. SSO must enable end users to access their physical and virtual file servers, legacy and web applications whether they are in the office or working remotely, from multiple machines and devices.
With UserLock SSO, organizations can continue to use Microsoft Active Directory, which streamlines all account management. It remains the central place to create and configure an employee's roles and services, and to remove them on departure or when access is no longer needed.
With UserLock SSO, organizations benefit from a non-disruptive SSO solution that leverages their existing investment in Active Directory to secure user access to both the corporate network and multiple cloud applications.
- No separate, centralized identity directory needs to be created or passwords synchronized.
- No need to change how users authenticate to on premise and legacy applications. They continue to be managed by Active Directory.
- Accounts, services, roles and group policies continue to be enforced.
- Authentication stays on premises against the domain controllers: no passwords or password hashes are copied to a cloud directory.
- On-boarding to new SaaS applications is faster and easier.
- As IT can provide secure cloud access more easily, there is less likelihood of ‘shadow IT’ developing.
3. Combines with granular MFA for improved security
Secure SSO is best achieved when combined with multi-factor authentication (MFA).
SSO does improve security: there is less password sprawl and fewer credentials at risk. But it also concentrates risk in one set of credentials. If those credentials are not protected correctly and are compromised, the attacker inherits access to every application provisioned for that user.
UserLock makes it easy to combine SSO with its own granular MFA to close this single-password exposure. The conditions and frequency for MFA can be tuned to give the protection you need without unnecessarily impeding employees. MFA can still be prompted, and access therefore granted, on remote machines disconnected from the corporate network and on machines inside the corporate network that have no internet connection.
Supporting both authenticator applications and one-click programmable tokens such as YubiKey and Token2, UserLock can protect SSO by enforcing MFA on the following connection types:
- All devices with Active Directory membership and standalone terminal servers
- RDP logons including RD Gateway connections
- VPN connections that support RADIUS Challenge or use Microsoft RRAS
- Microsoft IIS for Windows Server, to protect Outlook on the Web or RD Web Access
- A virtual desktop infrastructure (VDI) such as Microsoft, Citrix or VMware
4. Improves employee productivity from any location
A key benefit of SSO is ease of use for end users. By removing separate cloud application credentials and eliminating repeated re-authentication, each user spends less time on the access process, which improves productivity.
With UserLock SSO, users do not need to authenticate again for each cloud application.* If a user has already authenticated to the corporate network, no prompt for login credentials is needed.
A second authentication factor may still be requested depending on the circumstances and the frequency configured. Because SSO and granular MFA are combined, administrators can avoid prompting for MFA at every login and so balance security with productivity.
Users also work from devices and locations that IT does not control. UserLock SSO lets them access cloud applications securely wherever they are and from whatever device they are using.
*Browsers that natively handle Windows Integrated Authentication, such as Internet Explorer, Chrome or Edge. Other browsers behave differently: Firefox will prompt for credentials unless the SSO URL is added to its list of trusted NTLM sites (the network.automatic-ntlm-auth.trusted-uris preference).
With UserLock SSO:
Access via a browser for users already authenticated to the Windows network
Access is immediately granted. UserLock SSO asserts the user's identity to the cloud application and the user is signed in without having to log in to the application. It makes no difference whether they are inside the corporate network or working remotely.
Access via a browser for users who are not authenticated to the Windows network
The user enters their corporate email address in the cloud application to log in. UserLock SSO then prompts the user for their Windows domain credentials (and a second authentication factor if enabled). On success the user is logged in and redirected back to the application. It makes no difference whether this happens in a smartphone browser, a computer browser or a mobile app.
Once the UserLock SSO server has allowed a user into a specific SaaS application, that application sets its own session ("authorization") cookie, which is sent with each subsequent request. This cookie is generally refreshed automatically, so there is no need to re-authenticate. Note that this session belongs to the SaaS application: disabling the account in Active Directory stops any new SSO logins, but an application session that is already established lasts until the application's own session lifetime expires or the user is signed out of it.
Any subsequent attempt to access a second, different cloud application
Access is immediately granted. Multi-factor authentication can be requested at each logon if required in the administrative settings.